Go version in restic

Hi, we are using the latest restic version, 0.12.0, which is compiled with Go 1.15.8.

bash:/# restic version
restic 0.12.0 compiled with go1.15.8 on linux/amd64

Our scanning tool is reporting a high vulnerability in Go 1.15.8 related to the CVE below: NVD - CVE-2021-27918, which is fixed in Go 1.15.9. We have 30 days to fix this and are looking for help in this forum to see whether there are any options to fix it, or any ETA on the next release of restic and whether it will have Go 1.15.9. Thank you!

If you’re in a hurry you can just build it from source, which is super easy: Installation — restic 0.12.0 documentation. There’s no ETA on a new release at this point.

Thank you!

Actually, the linked CVE is about a vulnerability in the encoding/xml package, which is not imported by restic.

But anyway, as mentioned, it’s very easy to recompile :+1:

Might it be imported by dependencies/descendants of the libraries restic imports, though?

Seems like it. At least go list all shows encoding/xml. I didn’t dig into it, but I would guess it is used within some storage backend.
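A way to confirm which dependency actually pulls the package in, as an added example that is neither from this thread nor from restic itself: the Go program below walks the transitive import graph of one or more root packages with the standard go/build package and prints the first import chain it finds to a target package (encoding/xml by default). Run with no arguments it uses encoding/json as a constructed demo root; pointed at a root such as restic's main package (github.com/restic/restic/cmd/restic, run from inside a restic checkout so that module resolution works) it reports the chain through whichever dependency imports encoding/xml. The default root, the target and the exit-code convention are my choices for the example, not restic's.

```go
// Added example (not restic code): find whether, and through which chain of
// imports, a target package such as encoding/xml is reachable from one or
// more root packages. Resolution uses go/build's default context, so it sees
// GOROOT (including the std vendor directory) and, outside GOROOT, whatever
// GOPATH/module mode resolves for the current directory.
package main

import (
	"fmt"
	"go/build"
	"os"
	"strings"
)

// ImportChain does a breadth-first walk over the non-test imports of roots
// and returns the first chain from a root to target, for example
// ["encoding/json", "encoding/base64"]. It returns nil when target is not
// reachable. Only files matching the current GOOS/GOARCH and build tags are
// read, which is also what ends up in a binary built in this context.
func ImportChain(roots []string, target string) ([]string, error) {
	type item struct {
		path   string // import path as written in the importing file
		srcDir string // directory of the importing package, used for vendor lookup
	}
	parent := map[string]string{} // import path -> importing package; "" for a root
	var queue []item
	for _, r := range roots {
		if _, seen := parent[r]; !seen {
			parent[r] = ""
			queue = append(queue, item{path: r})
		}
	}
	for len(queue) > 0 {
		it := queue[0]
		queue = queue[1:]
		if it.path == target {
			chain := []string{target}
			for p := parent[target]; p != ""; p = parent[p] {
				chain = append([]string{p}, chain...)
			}
			return chain, nil
		}
		if it.path == "C" { // cgo pseudo-package, nothing on disk to read
			continue
		}
		pkg, err := build.Default.Import(it.path, it.srcDir, 0)
		if err != nil {
			return nil, fmt.Errorf("resolving %s (imported by %q): %w", it.path, parent[it.path], err)
		}
		for _, imp := range pkg.Imports {
			if _, seen := parent[imp]; seen {
				continue
			}
			parent[imp] = it.path
			queue = append(queue, item{path: imp, srcDir: pkg.Dir})
		}
	}
	return nil, nil
}

func main() {
	const target = "encoding/xml" // the package the CVE in the thread concerns
	roots := os.Args[1:]
	if len(roots) == 0 {
		// Constructed demo root; for restic pass its main package import path.
		roots = []string{"encoding/json"}
	}
	chain, err := ImportChain(roots, target)
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(2)
	}
	if chain == nil {
		fmt.Printf("%s is not in the import graph of %s\n", target, strings.Join(roots, " "))
		return
	}
	fmt.Println("reachable via:", strings.Join(chain, " -> "))
	os.Exit(1) // non-zero so a CI step can fail while the package is present
}
```

Because the walk follows only non-test imports, it is closer to what is linked into the binary than go list all, which also lists test dependencies and can therefore over-report. For a binary you already have, go version ./restic prints the Go version recorded in it, which is what a scanner keys the CVE on.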

The vulnerability can lead to an infinite loop, so if you are worried about it and are not able to recompile your restic, you should monitor your restic runs to identify such an infinite loop.
